May 2008
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Fragmentation (diagram): each regulation (SOX, J-SOX, FDA, RoHS/WEEE), each risk type (segregation of duties, credit risk, project risk), each country (U.S., Germany, Japan, U.K., France, China, Canada, India) and each function (controller, IT, security, project management, document management) runs its own governance, risk management and compliance effort, spread across ERP, production, billing and supply chain systems.
Integrated GRC (diagram): the same regulations, risk types, countries, functions and systems are handled through one shared governance, risk management and compliance layer.
Pain points of fragmented access control:
Internal Audit: time and effort spent on audits.
IT Operations: manual, error-prone administration.
Information Security: no monitoring of sensitive transactions.
Compliance Trends
By 2010, auditors will expect regulated organizations to detect fraud by performing transaction monitoring on a continuous basis, and 60% of regulated firms will have such an automated process in place. [1]
The broader market for GRC products will subsume this market by 2010, and SoD controls will be offered primarily as embedded capabilities in GRC products/suites (0.8 probability). [1]
Process owners are looking to simplify and reduce the cost of compliance. [2]
Spending on security, segregation of duties, and other solutions that support controls monitoring and automation will increase. [2]
[1] Gartner, MarketScope for Segregation of Duties Controls Within ERP, 2007
[2] Gartner, The 2006 Planning Guidance for Compliance: Risk-Orientation, Standardization, and Automation, April 2006
SAP solutions for GRC:
Provide a unified, business-user focused approach
Organize all compliance requirements
Create a common method to measure risks
Ensure strategy considers risks
Implement and monitor controls in business processes
Detect and alert on exceptions for risks and controls
Promote sustainable operations
Outcomes: streamline audits, provide proof, automate reviews, manage by exception, optimize operations.
SAP GRC Access Control
Automate segregation of duties management; automate access management.
Embed cross-function: FIN, SCM, SRM, MFG, HR.
Promote IT and line-of-business collaboration; enforce accountability with review and approval processes; ease compliance and avoid authorization risk.
Embed cross-platform, including Identity Management.
Get Clean: Risk Analysis and Remediation gives a rapid, cost-effective and comprehensive initial clean-up; Enterprise Role Management enforces SoD compliance at design time.
Stay Clean: Compliant User Provisioning prevents SoD violations at run time; Superuser Privilege Management closes the #1 audit issue with temporary emergency access.
Stay in Control: Periodic Access Review and Audit focuses on the remaining challenges during recurring audits.
The three phases in summary:
Get Clean: Risk Analysis and Remediation
Stay Clean: Compliant User Provisioning, Superuser Privilege Management, Enterprise Role Management
Stay in Control: Management Oversight, Internal Audit
Risk Analysis and Remediation capabilities: real-time SoD risk analysis; critical transaction monitoring; cross-application integration; remediation management; mitigation management; alerts framework; reporting; real-time simulation; mandatory prevention.
Outcomes: prevention, reporting, elimination.
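The capabilities above (SoD risk analysis at role and user level, mitigation, critical transaction monitoring, simulation and mandatory prevention) are easier to reason about with a small working model. The following is an added example written for this page, not SAP code and not SAP's delivered rules library: the business functions, risks, roles, users and the mitigating control CTRL-AP-07 are constructed. The transaction codes used (XK01, FB60, MIRO, F110, SU01, PFCG and so on) are real SAP transactions, but their grouping into functions here is a toy rule set.

```python
"""Segregation-of-duties (SoD) risk analysis with simulation and mandatory
prevention. Added illustration, not SAP code; all master data below is
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Business functions, each expressed as the transaction codes that perform it.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MASTER": {"XK01", "XK02", "FK01"},   # create / change vendor
    "VENDOR_INVOICE": {"FB60", "MIRO"},           # post vendor invoice
    "PAYMENT_RUN": {"F110"},                      # release payments
    "USER_ADMIN": {"SU01", "PFCG"},               # maintain users and roles
}

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    func_a: str
    func_b: str
    level: str

# Access risks: two functions that one person must not hold together.
RULES: List[Risk] = [
    Risk("P001", "Create a fictitious vendor and pay it", "VENDOR_MASTER", "PAYMENT_RUN", "High"),
    Risk("P002", "Create a vendor and post invoices against it", "VENDOR_MASTER", "VENDOR_INVOICE", "High"),
    Risk("B001", "Administer users and release payments", "USER_ADMIN", "PAYMENT_RUN", "Critical"),
]

# Technical roles -> transaction codes, and users -> roles (constructed sample).
ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO", "FB03"},
    "Z_VENDOR_MAINT": {"XK01", "XK02", "XK03"},
    "Z_TREASURY": {"F110", "FBL1N"},
    "Z_BASIS": {"SU01", "PFCG", "SM37"},
    "Z_AP_ALL": {"XK01", "FB60", "F110"},        # badly designed: conflicts inside one role
}
USERS: Dict[str, Set[str]] = {
    "jdoe": {"Z_AP_CLERK"},
    "msmith": {"Z_AP_CLERK", "Z_VENDOR_MAINT"},
    "admin1": {"Z_BASIS"},
}
# Accepted risks with a compensating control: (user, risk) -> control ID (assumed).
MITIGATIONS: Dict[Tuple[str, str], str] = {("msmith", "P002"): "CTRL-AP-07"}
# Sensitive transactions reported whenever someone can run them, conflict or not.
CRITICAL_TCODES: Set[str] = {"SU01", "PFCG", "SE16"}

@dataclass(frozen=True)
class Violation:
    subject: str                  # user or role analysed
    risk_id: str
    level: str
    via: FrozenSet[str]           # "role:tcode" granting each side of the conflict
    mitigation: Optional[str] = None

def _grants(roles: Set[str]) -> Dict[str, str]:
    """Every tcode reachable through the roles, with one role that grants it."""
    granted: Dict[str, str] = {}
    for role in sorted(roles):
        for t in ROLES[role]:
            granted.setdefault(t, role)
    return granted

def _violations(subject: str, grants: Dict[str, str]) -> List[Violation]:
    held = {}   # function -> one tcode that realises it
    for fn, fn_tcodes in FUNCTIONS.items():
        hit = sorted(fn_tcodes & set(grants))
        if hit:
            held[fn] = hit[0]
    out = []
    for r in RULES:
        if r.func_a in held and r.func_b in held:
            ta, tb = held[r.func_a], held[r.func_b]
            out.append(Violation(subject, r.risk_id, r.level,
                                 frozenset({f"{grants[ta]}:{ta}", f"{grants[tb]}:{tb}"}),
                                 MITIGATIONS.get((subject, r.risk_id))))
    return out

def analyze_role(role: str) -> List[Violation]:
    """Design-time check: does a single role grant both sides of a conflict?"""
    return _violations(role, {t: role for t in ROLES[role]})

def analyze_user(user: str, extra_roles: Tuple[str, ...] = ()) -> List[Violation]:
    """Run-time check across all roles a user holds, plus any simulated ones."""
    return _violations(user, _grants(USERS[user] | set(extra_roles)))

def unmitigated(viols: List[Violation]) -> List[Violation]:
    return [v for v in viols if v.mitigation is None]

def critical_transactions(user: str) -> Set[str]:
    """Critical transaction monitoring: sensitive tcodes the user can run today."""
    return set(_grants(USERS[user])) & CRITICAL_TCODES

def simulate(user: str, role: str) -> List[Violation]:
    """What-if analysis: violations that assigning `role` would newly introduce."""
    before = {v.risk_id for v in analyze_user(user)}
    return [v for v in analyze_user(user, (role,)) if v.risk_id not in before]

def request_role(user: str, role: str) -> Tuple[str, List[Violation]]:
    """Mandatory prevention: reject a request that creates an unmitigated violation."""
    new = unmitigated(simulate(user, role))
    return ("rejected", new) if new else ("approved", [])

if __name__ == "__main__":
    for u in USERS:
        for v in analyze_user(u):
            print(u, v.risk_id, v.level, sorted(v.via), v.mitigation or "unmitigated")
    print("Z_AP_ALL:", [v.risk_id for v in analyze_role("Z_AP_ALL")])
    print("msmith + Z_TREASURY:", request_role("msmith", "Z_TREASURY")[0])
```

The role-level check catches Z_AP_ALL, which conflicts with itself and can never be assigned cleanly (the "design time" problem Enterprise Role Management targets); the user-level check shows msmith's P002 conflict arising across two otherwise clean roles, suppressed only because a named control mitigates it; and simulate plus request_role is the provisioning-time gate: the treasury role would add a new, unmitigated P001 for msmith, so the request is rejected rather than flagged after the fact.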
Risk Identification
"SAP GRC Access Control, with its comprehensive preconfigured rule set, reflected deep expertise within SAP that would have taken us a very long time to replicate."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.
End-to-End Automation
"The cleanup process has brought a tremendous degree of discipline to the way we think about and manage user access and authorizations."
Deepak Mehrotra, SOX Compliance Manager, Synopsys Inc.
Enterprise Role Management
Reduce cost of role maintenance
Ease compliance and avoid authorization risk
Eliminate errors and enforce best practices
Assure audit-ready traceability and security checks
New in SAP GRC Access Control 5.3: mapping of business roles to technical roles
(Diagram: enterprise rules applied across applications, with an audit log; business roles mapped to technical roles; manager approval; manual provisioning.)
Compliant User Provisioning
Embed cross-enterprise preventive compliance in the business process
Reduce cost of user administration
Improve productivity of end users
Provide auditable tracking for auditors
100% automated
Superuser Privilege Management
Close the #1 open audit issue
Avoid business obstructions with faster emergency response
Reduce audit time
(Diagram: instead of granting SAP_ALL, the user opens a new session with a preassigned Firecall ID for the area concerned, SD, MM or FI/CO, and each session is logged.)
Preassigned FireFighter IDs; access restrictions; validity dates; field-level changes tracked in the audit log.
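The diagram above contrasts handing out SAP_ALL with a scoped, preassigned, logged emergency ID. The following is an added example written for this page, not SAP code: it models the four properties listed (preassigned IDs, access restrictions, validity dates, field-level audit log) and adds a per-session time limit of four hours, which is an assumption of the example. The firefighter IDs, their owners, the assignment for user jdoe, the ticket number and the field names in the log are all constructed.

```python
"""Emergency (firefighter) access: preassigned IDs, access restrictions,
validity dates and a field-level audit log. Added illustration, not SAP
code; IDs, assignments and the 4-hour session limit are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class FirefighterID:
    ff_id: str
    area: str                    # SD, MM, FI/CO ...
    allowed_tcodes: frozenset    # access restriction: a scoped list, never SAP_ALL
    owner: str                   # controller who reviews this ID's log

@dataclass(frozen=True)
class Assignment:
    user: str
    ff_id: str
    valid_from: datetime         # validity dates of the preassignment
    valid_to: datetime

@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    user: str
    ff_id: str
    tcode: str                   # transaction, or CHECKOUT / CHECKIN
    result: str
    field_changes: Tuple[Tuple[str, str, str], ...] = ()   # (field, old, new)

@dataclass
class Session:
    user: str
    ff: FirefighterID
    reason: str
    opened: datetime
    expires: datetime
    closed: Optional[datetime] = None

class FirefighterService:
    MAX_SESSION = timedelta(hours=4)     # assumed limit per check-out

    def __init__(self, ids, assignments):
        self.ids: Dict[str, FirefighterID] = {f.ff_id: f for f in ids}
        self.assignments: List[Assignment] = list(assignments)
        self.log: List[LogEntry] = []
        self.open: Dict[str, Session] = {}   # ff_id -> open session

    def check_out(self, user: str, ff_id: str, reason: str, now: datetime) -> Session:
        """Start an emergency session; the ID must be preassigned, valid and free."""
        if not any(a.user == user and a.ff_id == ff_id
                   and a.valid_from <= now <= a.valid_to for a in self.assignments):
            raise PermissionError(f"{user} is not preassigned to {ff_id} on {now:%Y-%m-%d}")
        if ff_id in self.open:
            raise RuntimeError(f"{ff_id} is already checked out by {self.open[ff_id].user}")
        if not reason.strip():
            raise ValueError("a reason (e.g. ticket number) is mandatory")
        s = Session(user, self.ids[ff_id], reason, now, now + self.MAX_SESSION)
        self.open[ff_id] = s
        self.log.append(LogEntry(now, user, ff_id, "CHECKOUT", reason))
        return s

    def execute(self, s: Session, tcode: str, now: datetime,
                field_changes: Tuple[Tuple[str, str, str], ...] = ()) -> bool:
        """Run a transaction under the firefighter ID; every attempt is logged."""
        if s.closed is not None or now > s.expires:
            self.check_in(s, now)
            result = "denied: session expired"
        elif tcode not in s.ff.allowed_tcodes:
            result = "denied: outside access restriction"
        else:
            result = "ok"
        self.log.append(LogEntry(now, s.user, s.ff.ff_id, tcode, result, tuple(field_changes)))
        return result == "ok"

    def check_in(self, s: Session, now: datetime) -> None:
        if s.closed is None:
            s.closed = now
            self.open.pop(s.ff.ff_id, None)
            self.log.append(LogEntry(now, s.user, s.ff.ff_id, "CHECKIN", "ok"))

    def review(self, ff_id: str) -> Tuple[str, List[LogEntry]]:
        """The log of one ID, addressed to its owner for sign-off."""
        return self.ids[ff_id].owner, [e for e in self.log if e.ff_id == ff_id]

def build_demo() -> FirefighterService:
    """Constructed sample: three area-scoped IDs and one preassignment for jdoe."""
    ids = [
        FirefighterID("FF_SD", "SD", frozenset({"VA02", "VL02N"}), "sd.controller"),
        FirefighterID("FF_MM", "MM", frozenset({"ME22N", "MIGO"}), "mm.controller"),
        FirefighterID("FF_FICO", "FI/CO", frozenset({"FB01", "FB02", "F-02"}), "fi.controller"),
    ]
    return FirefighterService(ids, [Assignment("jdoe", "FF_FICO", datetime(2008, 5, 1), datetime(2008, 5, 31))])

def demo_scenario() -> dict:
    """One emergency session end to end; returns what the owner sees at review."""
    svc, t0 = build_demo(), datetime(2008, 5, 12, 9, 0)
    s = svc.check_out("jdoe", "FF_FICO", "INC-4711: month-end posting blocked", t0)
    posted = svc.execute(s, "FB01", t0 + timedelta(minutes=5), (("BSEG-WRBTR", "0.00", "1200.00"),))
    admin = svc.execute(s, "SU01", t0 + timedelta(minutes=6))   # user admin is outside FI/CO scope
    late = svc.execute(s, "FB02", t0 + timedelta(hours=5))      # after the 4-hour window
    try:
        svc.check_out("msmith", "FF_FICO", "INC-4712", t0)        # not preassigned
        stranger = "allowed"
    except PermissionError:
        stranger = "denied"
    owner, entries = svc.review("FF_FICO")
    return {"posted": posted, "admin": admin, "late": late, "stranger": stranger,
            "owner": owner, "closed_at": s.closed,
            "trail": [(e.tcode, e.result, e.field_changes) for e in entries]}
```

The log is written on every attempt, including denials, and the expired-session path closes the session itself, so the owner's review shows a complete trail ending in a CHECKIN rather than an ID that silently stayed open. That trail, with old and new field values, is what turns emergency access from an unreviewable SAP_ALL grant into something an auditor can sample.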
Periodic Access Review and Audit
Equips internal and external auditors to complete comprehensive and efficient testing.
Management: review potential risks and review policy; management by exception; automated, pre-built access controls reporting; review of roles, users and mitigation controls.
Internal Audit: validate that segregation of duties risks are appropriately mitigated on a sample basis.
Key Areas and SAP Benefits (table):
Access Risk Identification and Elimination: identification and elimination of potential access risks (e.g. segregation of duties violations) and actual risks (e.g. sensitive transaction monitoring); real-time detective and preventive controls cross-enterprise.
Role Design and Management: SoD-compliant role design and management to address the root of the problem.
Compliant User Provisioning: efficient and SoD-compliant user provisioning and de-provisioning from hire to retire.
Privileged User Access: efficient and effective superuser privilege management, with tracking of all activity.
Collaboration, Business and IT: enabling the business to take accountability for access.
Periodic Access Review: automated, pre-built access controls reporting; review of roles, users and mitigation controls.
Audit Cycle Management: documentation to help validate that the business team is following the control process.
(Diagram: today, GRC spend goes to manual efforts and multiple tools; tomorrow, a cross-enterprise GRC solution frees savings for innovation. Business users gain flexibility and speed, lower cost of audit and audit-related fees, higher confidence and increased transparency.)
Cross-Enterprise GRC: hire-to-retire, cross-functional, cross-application.
Cross-Enterprise Capabilities
SAP GRC Access Control delivers a best-practice SoD rules library for SAP, Oracle, PeopleSoft and JD Edwards, covering Basis, security and system administration, materials management, APO, SRM, CRM and consolidations.
SAP GRC Access Control enables crucial collaboration: the business (CFO, business controls) owns the responsibility for segregation of duties and makes the decisions; IT (CIO, systems access) understands the technology to grant or revoke user access and enables those decisions.
Identity Management
SAP GRC Access Control provides user provisioning, risk analysis, audit and compliance including an audit repository, approval workflows, and privilege management for business transactions.
Identity management products (SAP NetWeaver Identity Management, IBM, Sun) add further user provisioning, identity synchronization and virtualization, and privilege management for applications and resources, fed from HR systems.
Proactive
"We used to be in a reaction mode; with SAP GRC Access Control we are now in a proactive mode."
"A key internal control in any organization is segregation of duties (SoD), which is arduous to achieve manually with all the different transactional access available in SAP software. SAP GRC Access Control automated this function and enabled us to change our process and implement a preventive solution for future ongoing compliance."
Easy
"SAP GRC Access Control is easy to implement, and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."
Automated
"We clearly would not have been as successful without this application, in terms of our external reporting requirements for the SEC and the Public Company Accounting Oversight Board."
Customer survey results (chart): reported reductions in time spent on external/internal audit, in internal/external audit costs, in time spent managing authorization risk, in costs for managing user authorization risk, in time spent making changes to users and roles, and in time required to clean up audit report findings for security, each between 25% and 32%.
About SAP GRC Access Control (Gartner MarketScope; rating scale Strong Negative, Caution, Promising, Positive, Strong Positive): SAP is the only vendor with a Gartner "recommends" rating in all technique categories (static analysis, provisioning support, integrated provisioning workflow, transaction monitoring and emergency access); it "offers one of the strongest product sets in our analysis, comprehensively addressing all SoD issues across multiple SAP instances" and is "capable of running on multiple ERP platforms".
References
Real-World Value: GTS and Access Control were part of a larger solution selected over Oracle/Hyperion; created a highly responsive audit environment that enables rapid response and remediation of SoD issues; achieved ROI in less than 3 months through productivity improvements and reduced audit costs.
Customers: Synopsys, Inc.; Bacardi; Printronix
Company: Printronix
Location: Irvine, California
Industry: High Tech
Products/Services: Global enterprise printing solutions for industrial manufacturing and distribution supply chain
Revenue: $128 million
Employees: 785
Web Site: www.printronix.com
SAP Solutions and Services: Virsa Compliance Calibrator
"Virsa Compliance Calibrator is easy to implement and easy to use, and most importantly gives us the ability to ensure we meet regulatory requirements with minimal impact on our staff and business operations."
Kate Squyres, Manager, IT Compliance, Printronix
Why SAP
Virsa Compliance Calibrator is integrated with SAP ERP, enabling streamlined, real-time review of the security set-up
Depth of functionality and ease of use
Objectives
Enable compliance that is easy to implement and readily accepted by the audit community Implement a solution that is easy to use by business process owners and has minimal impact on IT resources
Benefits
Established readily accepted, audit response processes that have minimized audit time and cost Created a highly responsive audit environment that enables rapid response and remediation to Segregation of Duty (SoD) violations
Implementation Highlights
Implementation was completed on time and within budget; total time to completion was less than six months and met end-of-year audit requirements
Further references: Xerox Europe; Wolverine
Company: Wolverine World Wide, Inc.
Location: Rockford, Michigan
Industry: Consumer Products
Products/Services: Apparel and accessories
Revenue: $1 Billion
Employees: 4,500
Web Site: www.wolverineworldwide.com
"The SAP application has given the security team a method to quickly identify risks within the system. The simulation feature has been a significant tool to aid in conflict mitigation."
Kiki Lown, Director of Compliance & Administration, Wolverine World Wide, Inc.
SAP Solutions and Services: SAP Solutions for Governance, Risk and Compliance; Virsa Compliance Calibrator
Partner: PricewaterhouseCoopers
Why SAP
Integration with SAP applications helps speed implementation
Challenges
Difficulty documenting Segregation of Duties (SoD) controls
Assessing and monitoring internal controls takes significant time
Home-grown solutions are inconsistent and not comprehensive
Compliance requires a high level of change management
Objectives
Segregation of duty capabilities
Sarbanes-Oxley Section 302/404 compliance
Risk management
Real-time detection of violations
Benefits
SAP GRC solutions give Wolverine compliance managers the ability to identify conflicts
Satisfies compliance audit requirements
Alleviates concerns about data integrity
Simplified compliance with Sarbanes-Oxley
Reduced consulting and audit effort and cost
Reduced time needed to make user profile changes
Improved ability to develop a strategy for resolving SoD conflict problems
Enabled implementation of governance best practices
Reduced internal effort to maintain, control and perform analysis
Implementation Highlights
Ability to run simulations by user role
Compliance Calibrator implemented in two weeks
Resources
www.sap.com/GRC: Solutions for automated end-to-end GRC processes
www.sap.com/solutions/grc/accessandauthorization/index.epx: SAP GRC Access Control
www.sap.com/solutions/grc/brochures/index.epx: SAP Solutions for GRC, brochures and whitepapers
www.sap.com/solutions/grc/demos/index.epx: SAP Solutions for GRC, demos